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Abstract 

We present cTI, the first system for universal left-termination inference of logic programs. 
Termination inference generalizes termination analysis and checking. Traditionally, a ter- 
mination analyzer tries to prove that a given class of queries terminates. This class must be 
provided to the system, for instance by means of user annotations. Moreover, the analysis 
must be redone every time the class of queries of interest is updated. Termination infer- 
ence, in contrast, requires neither user annotations nor recomputation. In this approach, 
terminating classes for all predicates are inferred at once. We describe the architecture of 
cTI and report an extensive experimental evaluation of the system covering many classical 
examples from the logic programming termination literature and several Prolog programs 
of respectable size and complexity. 

KEYWORDS: Termination Inference; Termination Analysis; Logic Programming; Ab- 
stract Interpretation. 



1 Introduction 

Termination is a crucial aspect of program verification. It is of particular impor- 
tance for logic programs flLloyd 19871 |Apt 1997) , since there are no a priori syn- 
tactic restrictions to queries and, as a matter of fact, most predicates programmers 
tend to write do not terminate for their most general queries. In the last fifteen 
years, termination has been the subject of several research works in the field of 
logic programming (see, for instance, i|Francez et al. 19851 |Apt and Pedreschi 1990| 
Ruggicri 1999)). In contrast to what happens for other programming paradigms, 
there are two notions of termination for logic programs fVa sak and Potter 1986): 
existential and universal termination. To illustrate them, assume we are using a 
standard Prolog engine. Existential termination of a query means that either the 
computation finitely fails or it produces one solution in finite time. This does not 
exclude the possibility that the engine, when asked for further solutions, will loop. 
On the other hand, universal termination means that the computation yields all 
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solutions and eventually fails in finite time (if we repeatedly ask for further solu- 
tions). 

Although the concept of existential termination plays an important role in con- 
nection with normal logic programs, it has severe drawbacks that make it not ap- 
propriate in other contexts: existential termination is not instantiation- closed (i.e., 
a goal may existentially terminate, yet some of its instances may not terminate), 
hence it is not and-compositional (i.e., two goals may existentially terminate while 
their conjunction does not); finally, existential termination depends on the textual 
order of clauses in the program. Universal termination is a stronger and much more 
robust concept: it implies existential termination and it is both and-compositional 
and instantiation-closed. 

Existential termination has been the subject of only a few works QVasak and Potter - 1986 
ILevi and Scozzari 19951 IMarchiori 199 61 whereas most research focused on univer- 
sal termination. There are two main directions (see ( |De Schreye and Decorte 1994| ) 
for a survey): characterizing termination ( |Apt and Pedreschi 1990||Apt and Pedreschi 1993| 
Ruggicri 1999| and finding weaker but decidable sufficient conditions that lead to 
actual algorithms, e.g., l|Ullman and Van Gelder 1988llPliimer 1990llVerschaetse~ 1992l. 
Even though our research belongs to both streams, in this paper we focus on an 
intuitive presentation of the implementation of our approach. A companion paper 
presents a complete formalization of our work in the theoretical setting of accept- 
ability for constraint logic programs ( |Mesnard and Ruggieri 2003| ), where we refine 
a necessary and sufficient condition for termination to the sufficient condition im- 
plemented in cTI. 

Our main contribution compared to other automated termination analyzers ( |Lindenstrauss and Sagiv 1997| 
IDecorte 19971 |Speirs et al. 1997| ICodish and Tabocfa 1999|> is that our tool infers 
sufficient universal termination conditions from the text of any Prolog program, 
adopting a bottom-up approach to termination. An important feature of this ap- 
proach first presented in IjMesnard 1996J1 is that there is no need to define in 
advance a class of queries of interest. (If required, these classes can be provided 
after the analysis has finished in order to specialize the obtained results.) Our 
system, called cTI from constraint-based Termination Inference, is written in SIC- 
Stus Prolog. A preliminary account of the work described in this paper appeared 
in IjMesnard and Neume rkel 2001), where we showed that numeric computations 
took most of the execution times. Now cTI relies on the specialized Parma Poly- 
hedra Library jBagnara et al. 20 02 ) , a modern C++ library for the manipulation 
of convex polyhedra that significantly speeds up the analysis. Moreover, cTI has 
been extended so that it can analyze any ISO-Prolog program (jlSO/IEC 1995 
IDeransart et al. 1996|) . The only correctness requirement we currently impose on 
programs is that they must not create infinite rational terms. Hence we assume ex- 
ecution with occurs-check or, equivalently, NSTO programs (i.e., programs that are 
Not Subject to Occur- Check (Deran sart et al. 1991J) and thus are safely executed 
with any standard conforming system) . We point out that simple, sufficient syntac- 
tic methods for ensuring occurs-check freedom are presented in ( |Apt and~P ellcgrini 1994| ) 
while ( |S0ndergaard 19861 |Crnogorac et al. 1996D describe abstract-interpretation 
based solutions. Recently, finite-tree analysis < |Bagnara et al. 2001a||Bagnara et al. 2001b| ) 
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has been proposed to confine infinite rational terms in programs that are not occurs- 
check free. Both the approach described in ( |Mesnard and Ruggicri ~003| ) and the 
cTI system can be extended, with the help of finite-tree analysis, to deal also with 
such programs. 

Throughout the paper we assume a basic knowledge of logic programming (see, 
e.g., ( |Apt 1997| )), constraint logic programming (see, e.g., ( |Marriott and Stuckey 1998| )), 
abstract interpretation (see, e.g., IjCousot and Cousot 199211 1. and propositional /j- 
calculus (see, e.g., i|Clarke et al. 2000j) 'l . In Section[2]we present cTI informally with 
an example analysis. How to use cTI is described in Section [3] An experimental 
evaluation of the system is the subject of Section 0] Related work is discussed in 
Section [5] while Section concludes. 



2 An Overview of cTI 



Our aim is to compute classes of queries for which universal left termination is 
guaranteed. We call such classes termination conditions. More precisely, let P be a 
Prolog program and q a predicate symbol of P. A termination condition for q is a 
set TC g of goals of the form <— c, q(x) where c is a CLP(7i) constraint such that, 
for any goal G £ TC g , each derivation of P and G using the left-to-right selection 
rule is finite. 

Our analyzer uses three main constraint structures: Herbrand terms for the initial 
program P (seen as a CLP(7i) program), non- negative integers, and booleans (P is 
abstracted into both a CLP (AT) and a CLP(i3) program). We illustrate our method 
to infer termination conditions by means of an example. The method consists of six 
distinct steps, which will be illustrated on the following definition for the predicates 
app/3, nrev/2 and app3/4. 



app([] , X, X) . 
app([E|X] , Y, [E|Z]) 
app(X, Y, Z) . 



nrev([], [] ) . 

nrev( [E|X] , Y) :- 
nrev(X, Z) , 
app(Z, [E] , Y) . 



app3(X, Y, Z, U) 
app(X, Y, V), 
app(V, Z, U). 



Step 1: From Prolog to CLP(N). From the Prolog program P, a CLP(AT) pro- 
gram P 1 ^ is obtained by applying a symbolic norm. In our example, we use the 
term-size norm, which is the one cTI applies by default. All ISO-predefined predi- 
cates have been manually pre- analyzed for this norm. Notice that, as explained in 
( |Mesnard and Ruggieri 2003| ), termination inference for pure Prolog programs can 
be based on any linear norm. The symbolic term-size norm is inductively defined 
as follows: 



|| 1 1| term-size \ 0, 
t, 



Yh=1 1 1 U 1 1 term-size, if t = /(*i, . . . ,t„) with 71 > 0; 

if t is a constant; 
if t is a variable. 



For example, ||/(0, 0)|| term-size = 1- All non-monotonic elements of the program 
are approximated by monotone constructs. For instance, Prolog's unsound nega- 
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tion \+ G is approximated by ( (G, false) ; true) . More generally, extra- logical 
predicates are mapped to their first-order counterparts so that the termination 
property is preserved. For our running example, we obtain the following CLP (TV) 
clauses: 



apPA^(0,x,x). 

app^(l + e + x, y, 1 + e + z) 



nrev^-(0, 0). 
nrevA/-(l + e + x, y) ■ 

nxevAf(x, z), 

app^(^, l + e,y). 



app3_v(a;, y, z, u) 



Step 2: Computing a numeric model. A model of the CLP (AT) program is now 
computed. For each predicate p, the model describes, with a finite conjunction 
of linear equalities and inequalities denoted by post^ , the linear inter- argument 
relations that hold for every solution of p. In our example we obtain the following 
model: 



POst^ p (a;, y,z) 
post^ cv (x,?/) 
POst^ p3 (x, y,z,u) 



x + y = z, 

x = y, 

x + y + z = 



The actual computation is performed on the set of nonnegative, infinite precision ra- 
tional numbers, using a fixpoint calculator based on PPL, the Parma Polyhedra Li- 
brary ( Bagn ara et al. 2002| ), and the standard widening IjCousot and Halbwachs 1978 
IHalbwachs 1979|l . In our example the least model is found. In general, however, only 
a less precise model can be determined. 



Step 3: Computing a numeric level mapping. The information provided by the nu- 
merical model is crucial to compute a level mapping \ ■ \^ . Let p be an n-ary 
predicate symbol in the CLP (A/") program. The level mapping associates to p a 
function f p : W l — ► N that is guaranteed to decrease when going from the head of 
the clause to each recursive call(s), if any, for each clause defining p. For example, a 
level mapping | • 1^ such that \m:ev^f(x, y)\^ = x intuitively means: for each ground 
instance 1 of each recursive clause defining nrevw, the first argument decreases when 
going from the head of the clause to the recursive call (since 1 + e + x > x for each 
e, x G N). Since no clause defining appS^ is recursive, the level mapping can be 
defined so that |app3(a;, y, z, t)| = 0. The level mapping computed for our example 
is defined by: 

|app(ar, y, z)\ N = min(.T, z), 
nrev(a;, y)\^ = x, 
|app3(x,y, z,u)\ u = 0. 

This is obtained by means of an improvement of the technique by K. Sohn and 
A. Van Gelder for the automatic generation of linear level mappings. Their algo- 
rithm, which is based on linear programming, is complete in the sense that it will 
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always provide a linear level mapping if one exists IjSohn and Van Gelder 19911. 
Our extension, which is described in IjMesnard and Neum crkcl 2001), consists in 
first computing a constraint over the coefficients of a generic linear level map- 
ping (step 3a). Then we generate a concrete level mapping (step 3b). Notice that 
for a multi-directional predicate (such as app/3) we may get multiple linear level 
mappings. These are combined, with the min operator, into one non-linear level 
mapping. 

In contrast with the well-known standard framework of acceptability, the decrease 
of the level mapping has to be shown only for predicates belonging to the same 
strongly connected component (SCC) of the call graph. Step 5 below will ensure 
that the other calls to predicates from lower SCC's do left terminate. The advantage 
of this approach is twofold: first, the computation of a level mapping, being SCC- 
based, is modular. Secondly, the expressive power of linear level mappings with 
respect to termination is much higher than in the acceptability case. 



Step 4: From CLP(M) to CLP(B). From the CLP(TV) program P M a CLP(i3) 
program, P 8 , is obtained by mapping each natural number to 1 (true), each variable 
symbol to itself, and addition to logical conjunction. 



app B (l,x,x). 

appg(l A e A x, y, 1 A e A z) 



app3 B (x,y,z,u) 

apPs(a;,3/j«)) 
app B (w,z,u). 



nrev B (l, 1). 
nrevg(l A e A x, y) < 
nrevg(a;, z), 
app B (z,l Ae,y). 

The purpose of P B is the one of capturing boundedness dependencies within P or, 
equivalently, rigidity dependencies within the original program. 2 A model for P 
is then computed and a boolean level mapping • \® is obtained from the numerical 
level mapping computed in Step 3. In order to do that, the translation scheme 
outlined above is augmented with the association of the logical disjunction x V y 
to min(j;, y): this means that min(x, y) is a bounded quantity if x or y or both are 
bounded. Here is what we obtain for the example program: 



Post app (a;, y,z) 
postf rcv (x,y) 
POst® pp3 (x, y,z,u) 



(x A y) z 
x <-> y, 
(x A y A z) 



|app(x,?/,z)| e 
|nrev(j;,y)| e 



u, 



|app3(x,y,z,u)| e = 1. 



For instance, as we use the term-size norm, this model tells us that for any computed 
answer 8 to a call nrev(x, y), x8 is ground if and only if yd is ground. 



Step 5: Computing boolean termination conditions. The information obtained from 
P B for each program point is combined with the level mapping by means of the 
following boolean /^-calculus formula?, whose solution gives the desired boolean 
termination conditions. 



2 A term t is rigid with respect to a symbolic norm || ■ || if and only if its measure is invariant by 
instantiation, i.e., = \\t8\\ for any substitution 9. 
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P re a PP = vT ■ M X ,V, Z ) ■ 
I i \\ B 

3, i',z':|(i«(lAeA x')) A (z <-> (1 A e A z'))) -»■ T(V , y, z') 



P re mov = ^r. A(ar, y) . 

|nrev(a;,?;)| K (1) 
Ve, a;', z : Ux <-> (1 A e A a;'))) ~> z) (2) 
^Ve,x',z : ((x <-> (1 A e A at')) A POstf rcv (V, z)J -> pre app (z, 1 Ae,y) (3) 
P re a PP 3 = A(x,y,z,u) . 

|app3(x,y,z,u)| i3 
Vu : 1 -> pre app (x,y,w) 

: postf pp (x,$/,u) -> pre app O,z,u) 

Here is the intuition behind such boolean ^-calculus formulae. Consider the nrev/2 
predicate. Its unit clause is taken into account in the computation of the numeric 
and the boolean model. For computing the boolean termination condition pre nrev , 
we consider the clause 

nrevg(a;, y) <— [x <-> (1 A e A x')], nrevg(a;', z), app jB (z, 1 A e, y). 

We are looking for a boolean relation T(x,y) satisfying the following conditions: 

• for each (x, y) in T, the level mapping has to be bounded, which leads to 
condition (1) above; 

• the recursive call to nrev/2 has to terminate, hence condition (2); 

• for any state resulting from the evaluation of the first call, the subsequent call 
to app/3 has to terminate, giving condition (3); 

• finally, we are interested in the weakest solution for T, hence the boolean 
termination condition is defined as a greatest fixpoint: 

pre nrov = ^T. X(x,y) . { (1) A (2) A (3)} . 

Solving the equations for our example gives: 

Pre app (a:,j/,z) = x V z, 
pre nrev (x, yj x, 

P re a PP 3(^ V: z i u ) = ( x A V) v ( x A u )- 

The greatest fixpoint is evaluated with the boolean /i-solver described in IjColin et al. 1997jl 
which computes on the domain Pos of positive boolean formulae l ] Armstrong et al. 1998| ) 
and is based on the boolean solver of SICStus Prolog. 

Step 6: Back to Prolog. In the final step of the analysis, the boolean termination 
conditions are lifted to termination conditions with the following interpretation, 
where the c's are CLP(H) constraints: 
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• each goal '?- c, app(X,Y,Z) . ' left-terminates if X or Z are ground in c; 

• each goal '?- c, nrev(X, Y) . ' left-terminates if X is ground in c; 

• each goal '?- c, app3(X,Y,Z,U) .' left-terminates if X and Y are ground in c 
or X and U are ground in c. 

3 Using cTI 

Once compiled and installed, cTI is invoked with the command 'cti source', where 
the program in 'source' is assumed to be an ISO-Prolog program. The user may 
then control the behavior of cTI with some options. We describe the main ones. 

'-p file' By default, undefined predicates are assumed to fail. The user may enrich 
or redefine the set of built-ins recognized by the system, by specifying '-p file' 
on the command line. This has the effect of importing the predicates whose 
numerical model, boolean model, and termination condition are given in 'file'. 
As predicates imported that way cannot be redefined in the analyzed program, 
this scheme provides a way to overcome potential weaknesses of the analysis. 

'-t timeout_in_ms' The analysis steps 2, 3a, 3b, 4, and 5 described in Section[5]all 
include potentially expensive computations. Because of this, for each such step, 
the computation concerning each SCC is subject to a timeout, whose default 
value is 2 seconds. The '-t' option allows the user to modify this value. 

'-n N' For the computation of the numeric model (step 2), a widening is used after 
n iterations of the approximate fixpoint iteration. The default value for n is 1. 

The user may also modify a program to give specific information for selected 
program points. We illustrate this facility by means of examples; the precise syntax 
is given in the cTI's documentation. One may specify that particular program 
variables will only be bound to non-negative integers and that the analyzer should 
take into account some constraints involving them. For instance, cTI does not detect 
that the following program terminates: 

pl(N) :- N > 0, M is N-l, pl(M). 

pl(N) :- N > 1, A is N»l, Z is N-A, pl(A), pl(Z). 

where the predefined arithmetic functor '>>/2' is the bitwise arithmetic right shift. 
On the other hand, cTI is able to show that p2(N) terminates: 

p2(N) :- cti:{N > 0, M = N-l}, p2(M) . 

p2(N) :- cti:{N > 1, 2*A =< N, N =< 2*A+1, Z = N-A}, p2(A), p2(Z). 

Finally, at any program point, the user can add linear inter-argument relations or 
groundness relations that the analyzer will take for granted. The system can thus 
prove the termination of the goal '?- top.' where the predicate top/0 is defined 
by the program given in Section [3 augmented with the following clause, where the 
term-size of LI is declared to be less than 10 and L2 is declared to be ground: 

top :- cti:{n(Ll) < 10} , app(Ll ,Zs ,L2) , cti : {b(L2) } , app(Xs , Ys ,L2) . 
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While such programs are no longer ISO-Prolog programs, the annotations can be 
automatically removed so as to obtain the original programs back. The assertion 
language currently used in cTI is only experimental, and future versions of the 



system may be based on the language defined in ( Hcrmenegildo et al. 2000 





4 Experimental Evaluation 



Unless otherwise specified, the experiments we present here were all conducted with 
the option (see Section^ _ p predef_for_compatibility.pl, which ensures that 
non-ISO built-ins used in the benchmarks (several of which are written in a non- 
ISO dialect of Prolog) are predefined. This experimental evaluation was done on a 
GNU/Linux system with an Intel i686 CPU clocked at 2.4 GHz, 512 Mb of RAM, 
running the Linux kernel version 2.4, SICStus Prolog 3.10.0 (28.3 MLips), PPL 
version 0.5, and cTI version 1.0. 

Standard programs from the termination literature. Table ^ presents timings and 
results of cTI on some standard LP termination benchmarks. The columns are 
labeled as follows: 

program: the name of the analyzed program (the asterisk near a name means that 

we had to use one of the options that allow to tune the behavior of cTI); 
top-level predicate: the predicate of interest; 

checked: the class of queries checked by the analyzers of (Dcc orte et al. 19991 

|Lindenstrauss and Sagiv 1997| [Speirs et al. 1997| ); 
result: the best result among those reported in (|Decorte et al. 1999l|Lindenstrauss and Sagiv 1997| 

|Speirs et al. 19971 ) (where, of course, 'yes, the program terminates' is better than 

'no, don't know'); 

inferred: the termination condition inferred by cTI (1 means that any call to the 
predicate terminates, means that cTI could not find a terminating mode for 
that predicate); 

time: the running time, in seconds, for cTI to infer the termination conditions. 

For all the examples presented in Tabled our analyzer is able to infer a class 
of terminating queries at least as large than the one checked by the analyzers of 
IjUecorte et al. 1999l|Lindenstrauss and Sagiv 1997||Speirs et al. 1997| ) (although we 
manually tuned cTI three times). We point out that TermiLog ( Lindenstrauss and Sagiv 1997| ) 
and TerminWeb IjCodish and Taboch 1999~)l are sometimes able to prove termina- 
tion whereas cTI is not and vice versa. 

Standard programs from the abstract interpretation literature. Table|2]presents tim- 
ings of cTI using some standard benchmarks 3 from the LP program analysis com- 
munity. We have chosen eleven middle-sized, well-known logic programs. All the 
programs are taken from IjBueno et al. 1994|l except credit and plan. The first 
column of Table El gives the name of the analyzed program and the second one 

3 These have been collected by N. Lindenstrauss, see www.cs.huji.ac.il/-naomil 
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Others 


cTI 


program 


top-lcvcl predicate 


checked 


result 


inferred 


time (s) 


permute 


permute (x, y ) 


X 


yes 


X 


0.03 


duplicate 


duplicate (a;, y) 


X 


yes 


x V y 


0.02 


sum 


sum(i, y, z) 


x A y 


yes 


x\l y\l z 


0.03 


merge 


mcrgc(:r, y, z) 


x Ay 


yes 


(x A y) V z 


0.03 


dis-con 


dis(x) 


X 


yes 


X 


0.03 


reverse 


reverse^, y, z) 


X A 2 


yes 


X 


0.02 


append 


appcnd(:r, y, z) 


x A y 


yes 


xM z 


0.02 


list 


list(x) 


X 


yes 


x 


0.01 


fold 


fold/ a?, z) 


x A y 


yes 


y 


0.02 


lte 


goal 


1 


yes 


l 


0.02 


map 


map fx, v) 


X 


yes 


x V y 


0.02 


member 


member (x, y) 


y 


yes 


y 


0.01 


mergesort 


mergesort (a:, y) 


X 


no 





0.06 


mergesort* 


mergesort (x, y) 


X 


no 


X 


0.07 


mergesort_ap 


mergesort_ap(:r, y, z) 


X 


yes 


z 


0.11 


mergesort_ap* 


mcrgesort_ap(:r, y, z) 


X 


yes 


x V z 


0.11 


naive_rev 


naivc_rcv(x, y) 


X 


yes 


x 


0.03 


ordered 


ordered(:r) 


X 


yes 


X 


0.01 


overlap 


overlap(x, y) 


x Ay 


yes 


x Ay 


0.01 


permutation 


permutation (x, y) 


X 


yes 


x 


0.03 


quicksort 


quicksort (x , y) 


X 


yes 


X 


0.06 


select 


select(:r, y, z) 


y 


yes 


yVz 


0.01 


subset 


subset(x, y) 


x Ay 


yes 


x Ay 


0.02 


sum 


sum(x, y, z) 


z 


yes 


yVz 


0.02 


pl2.3.1 


p(x,y) 


X 


no 





0.01 


pl3.5.6 


p(x) 


1 


no 


X 


0.01 


pl3 . 5 . 6a 


p(x) 


1 


yes 


X 


0.01 


pl4.0.1 


appcnd3(x,y,z,v) 


x A y A z 


yes 


(x A y) V (x A v) 


0.02 


pl4.5.2 


s(x,y) 


X 


no 





0.03 


pl4 . 5 . 3a 


p(x) 


X 


no 





0.01 


pl5.2.2 


turing(a;, y, z, t) 


x A y A z 


no 





0.11 


pl7.2.9 


mult(x, y, z) 


x Ay 


yes 


x Ay 


0.02 


pl7.6.2a 


rcach(:r, y, z) 


x A y A z 


no 





0.02 


pl7 . 6 . 2b 


reach(z, y, z, t) 


x Ay A z At 


no 





0.03 


pl7.6.2c 


rcach(:r, y, z, t) 


x Ay A z At 


yes 


2 A t 


0.04 


pl8.3.1 


minsort(x, y) 


X 


no 


x Ay 


0.04 


pl8.3.1a 


minsort(x, y) 


X 


yes 


X 


0.04 


pl8.4.1 


even(x) 


X 


yes 


X 


0.02 


pl8.4.2 


c(x,y) 


X 


yes 


X 


0.07 



gives the number of its clauses (before any program transformation takes place). 
The following six columns indicate the running times (minimum execution times 
over ten runs), in seconds, for computing: 

a numeric model (step 2); 
C M : the constraint over the coefficients of a generic linear level mapping (step 3a); 
/j,: the concrete level mapping (step 3b); 
Mpi a boolean model (step 4); 
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Table 2. Running times for middle-sized programs. 







analysis 


;imes (s) 






program 


clauses 


Mp 






Mf 


TC 


total 


Q% 


aim 


177 


0.17 


0.48 


0.08 


0.17 


0.06 


1.00 


49% 


bid 


50 


0.03 


0.04 


0.02 


0.02 


0.02 


0.14 


100% 


boyer 


136 


0.07 


0.06 


0.02 


0.08 


0.02 


0.30 


85% 


browse 


30 


0.05 


0.12 


0.03 


0.04 


0.01 


0.26 


60% 


credit 


57 


0.02 


0.03 


0.02 


0.02 


0.01 


0.11 


100% 


peephole 


134 


0.18 


0.56 


0.03 


0.20 


0.06 


1.08 


94% 


plan 


29 


0.02 


0.03 


0.01 


0.02 


0.02 


0.11 


100% 


qplan 


148 


0.20 


0.52 


0.12 


0.18 


0.07 


1.13 


68% 


rdtok 


55 


0.13 


0.39 


0.03 


0.07 


0.02 


0.65 


44% 


read 


88 


0.26 


1.00 


0.04 


0.31 


0.08 


1.72 


52% 


warplan 


101 


0.10 


0.25 


0.01 


0.08 


0.02 


0.49 


33% 




18% 


50% 


6% 


17% 


6% 


100% 




averaj 


;e % of time for each analysis 


phase 



TC: the boolean termination conditions (step 5). 

The next column reports the total runtime in seconds while the last column, labeled 
'Q%', expresses the quality of the analysis, computed as the ratio of the number 
of user-defined predicates that have a non-empty termination condition over the 
total number of user-defined predicates (the result of an analysis presents all the 
user-defined predicates together with their corresponding termination conditions) . 

We note that cTI can prove that bid, credit, and plan are left-terminating: 
every ground atom left-terminates. For any such program P, Tp has only one fix- 
point ( |Apt 19971 Theorem 8.13), which may help proving its partial correctness. 
Moreover, as the ground semantics of such a program is decidable, Prolog is its 
own decision procedure, which does help testing and validating the program. 

On the other hand, when the quality of the analysis is less than 100%, it means 
that there exists at least one SCC where the inferred termination condition is 0. 
Let us call such SCO's failed SCO's. They are clearly identified, which may help the 
programmer. Here are some reasons why cTI may fail: potential non-termination, 
poor numeric model, non-existence of a linear level mapping for a predicate with 
respect to the model, inadequate norm. Also, the analysis of the SCC's which 
depend on a failed SCC is likely to fail, but this does not prevent cTI from analyzing 
other parts of the call graph. 

Some larger programs. Finally, we have tested cTI on the following programs: 

• chat is a parser written by F.C.N. Pereira and D.H.D. Warren; 

• lptp is an interactive theorem prover for Prolog written by R. Stark QStark 1 998 ) ; 

• pl2wam is the compiler from Prolog to WAM of GNU-Prolog 1.1.2 developed 
by D. Diaz ( |Diaz and Codognet 2000| ); 
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Table 3. Running times for larger programs. 







analysis 


;imes (s) 






program 


clauses 


Mp 


c» 


/•« 


M$ 


TC 


total 


timeouts 


Q% 


chat 


515 


3.89 


2.78 


2.84 


2.85 


0.35 


12.80 


1/1/1/0/0 


71% 


lptp 


1298 


3.99 


14.10 


1.84 


2.88 


1.65 


25.10 


0/1/0/0/0 


67% 


pl2wam 


1190 


2.12 


2.37 


0.99 


2.00 


1.29 


9.22 


0/0/0/0/0 


64% 


slice 


952 


2.20 


10.46 


0.13 


2.08 


0.93 


16.20 


0/3/0/0/0 


55% 


symbolic! 


923 


1.49 


0.67 


0.04 


0.61 


0.29 


3.47 


0/0/0/0/0 


58% 



• slice is a multi-language interpreter developed by R. Bagnara and A. Riaudo; 

• symbolicl seems to be a simulator for a Prolog machine. We do not know 
the origin of this file. 

The results of the analysis are given in Table|21 As explained in the previous section, 
we set up a timeout of 2 seconds per SCC for computing a CLP (AT) model, the con- 
straints defining level mappings, a CLP(£>) model, and the termination condition. 
So we have a limit of 10 seconds of CPU time per SCC. The last but one column 
in Table summarizes the number of timeouts for steps 2/3a/3b/4/5, respectively. 

5 Related Work 

The compiler of the Mercury programming language ( |Somogyi et al. 1996| ) includes 
a termination checker, described in (Spci rs et al. 1997| ). The speed of the analyzer 
is quite impressive. We see two reasons for this. First, the termination checker is 
written in Mercury itself. Second, and most importantly, the analyzer takes high 
profit of the mode informations that are part of the text of the program being 
checked. On the other hand, while the running times of cTI are bigger, termination 
inference is a more general problem than termination checking: in the worst case, 
an exponential number of termination checks are needed to simulate termination 
inference. 

TALP IjArts and Zantema 1996(1 is an automatic tool that transforms a well- 
moded logic program (see, e.g., ( |Apt 1997| )) into a term rewriting system such that 
termination of the latter implies termination of the former. The generated term 
rewriting system is then proved terminating by the CiME tool (http : / /cime . lri.fr/) . 
The system seems quite powerful for this class of logic programs. 

(|Oenaim and Codish 2001)) made recently a link between backward analysis ( |King and Lu 2 002 ) 
and termination analysis, which leads to termination inference. Although they used 
a completely different scheme for computing level mappings, the results of the anal- 
ysis on the programs described in Tables ^ and [21 were rather similar, both in time 
and quality, to previous versions of cTI that rely on the rational linear solver of 
SICStus Prolog. Thanks to the PPL, cTI is now significantly faster (speed-ups from 
a factor of two to more than an order of magnitude have been observed) . The latest 
version of TerminWeb emphasizes termination analysis of typed logic programs. 

Termination of logic programming where numerical computations are taken into 
account are studied in QSerebrenik and De Schreye 2001||Serebrenik and De Schreye 2002| ). 
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The authors present some advanced techniques for explicitly dealing with integers 
and floating point numbers computations. 

The size- change termination principle has been proposed in l|Lee et al. 2001|l for 
deciding termination of first-order functional programs. The resulting analysis is 
close to the TermiLog approach QLindenstrauss and Sagiv 1997| ) and the authors 
establish its intrinsic complexity. 

Finally, we point out that the system Ciao-Prolog ( B ueno et al. 1997jl adopts an- 
other approach for termination, based on complexity analysis | |Debray et al. 1 994). 



6 Conclusion 

We have presented cTI, the first bottom-up left-termination inference tool for ISO- 
Prolog, and its experimental evaluation over standard termination benchmarks as 
well as middle-sized and larger logic programs. Running cTI on large programs 
shows that the approach scales up satisfactorily. We believe that, thanks to the 
Parma Polyhedra Library, cTI is today the fastest and most robust termination 
inference tool for logic programs. 

When a SCC is too large, computations relying on projection may become too 
expensive. So we have added for each computation which may be too costly a 
timeout and if necessary we are able to return a value which does not destroy the 
correctness of the analysis, although the quality of the inference is obviously weaker. 
It allows cTI to keep on analyzing the program. As a side effect, the running time 
of cTI is linear with respect to the number of SCC's in the call graph. 

Finally, one can observe that the termination conditions computed in Section 
121 are actually optimal with respect to the language used for describing classes 
of queries. Can one prove such properties automatically? (Mesn ard et al. 2002|) 
presents a first step in this direction. 

Acknowledgments. We would like to thank Ulrich Neumerkel for numerous dis- 
cussions we had on termination inference and for the help he provided while debug- 
ging cTI. Thanks also to the readers of a previous version of this paper for their 
comments. 



Availability. cTI is distributed under the GNU General Public License. The an- 
alyzer, together with the programs analyzed for benchmarking, are available from 
cTI's web site: http : //www . cs . unipr . it/ cTI 
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